Routing through 2 pfSense



  • Hello,

    I'm not sure if I have to post this question here or in OpenVPN, but I think it's a routing problem:

    Everything is explained on this little picture I made:

    • I have my PC : 10.0.1.1/24
    • My two networks are linked by an OpenVPN tunnel.
    • I can ping every interface in the LAN network of my Pfsense client.
    • I CAN'T ping my "4G modem", which is on the WAN interface of my Pfsense client.

    How can I ping an interface on the WAN network of my pfsense client from my PC?
    (I already tried to put a "route add -net 192.168.1.0/24 10.0.2.254" on my "pfsense principal")

    Is this a firewall configuration problem, a routing configuration problem or an OpenVPN configuration problem?

    Thank you! :)



  • Presumably it's a routing issue.

    I guess the modem sends the responses to the pings to its upstream gateway, since it has no route for them. To solve it, a static route for the server side LAN network would have to be added to the modem itself, but it will not have an option to do so, I think.
    The other solution would be to do NAT on the WAN interface. Add an outbound NAT rule to WAN for the server side LAN network and let it translate to the interface address.



  • Thank you very much for your answer!

    I don't understand why the "4G modem" doesn't know how to respond to my "PfSense client" on the WAN of the Pfsense client (which is just the "lan" for the "4G modem").

    They are on the same network. Doesn't the "PfSense client" act on the 3rd layer to indicate its IP address during the routing encapsulation process?

    I'll try this:

    Other solution would be to do NAT on the WAN interface. Add an outbound NAT rule to WAN for the server side LAN network and let it translate to the interface address.

    But I don't really know how to do it in pfsense :/



  • Above you wrote that the modem doesn't respond to pings from the PC in 10.0.1.1/24.
    Now you say it doesn't respond to the VPN client? To pings from the client it should respond anyway, if the WAN is set up at all well.



  • Yes, the goal is to respond to my client 10.0.1.1. But in the process of responding to my client, it has to first respond to the "pfsense client", which will route the packet to the "pfsense principal", etc.

    I'm sorry if I'm not clear (it's harder for me in English).

    My idea was: if the "4g Modem (192.168.0.1)" can respond to the "Pfsense client (on 192.168.0.100)", and if the "Pfsense client (on 10.0.2.1 and 10.0.200.2)" can respond to my "Poste de travail local (10.0.1.1)", then it must be a routing problem only on the "Pfsense client", no?
    If it was on the "4G modem", then the modem would not respond to pings from the "Pfsense client"?

    Am I wrong?!?



  • @boulate:

    My idea was: if the "4g Modem (192.168.0.1)" can respond to the "Pfsense client (on 192.168.0.100)", and if the "Pfsense client (on 10.0.2.1 and 10.0.200.2)" can respond to my "Poste de travail local (10.0.1.1)", then it must be a routing problem only on the "Pfsense client", no?

    It works similarly to this.

    If your PC in 10.0.1.1/24 sends a packet to the 4G modem, the packet has the source address 10.0.1.1 and the destination IP 192.168.0.1 when it arrives at the modem. Since you have a site-to-site VPN, the VPN tunnel network itself is irrelevant here. The packets are just routed over that subnet.
    So the 4G modem will send its response to 10.0.1.1, but since this address doesn't fit any of the subnets on its interfaces and it has no special route for this host, it will send the packet to its upstream gateway. Presumably that's the internet provider.
    However, the modem will respond correctly to the pfSense client's WAN 192.168.0.100, because this is a subnet connected to its own interface.

    So let's do NAT to get it working:
    Go to Firewall > NAT > Outbound; if the rule configuration type is set to Automatic, set it to Hybrid or Manual and hit Save.
    Then add a new rule with
    interface = WAN
    source = 10.0.1.0/24
    destination = 192.168.0.0/24 (or any if you also want to access internet hosts over the VPN)
    translation = interface address
    Save it.

    This NAT rule will translate the source address in packets coming from 10.0.1.0/24 to the client's WAN address. So your modem will send responses to that back to the client pfSense, and this one will send them back over the VPN to the PC 10.0.1.1.
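The reply above reasons through two things: the modem's routing decision for a reply addressed to 10.0.1.1 (longest-prefix match, falling through to the default route) and the effect of the outbound NAT rule (source translated to the client's WAN address, so the reply lands on a connected subnet). The following Python model is an added example, not code from the thread or from pfSense; it uses the addresses given in the thread, while the upstream-gateway label and the interface name "em0" in the pf rule are assumptions for illustration.

```python
"""
Model of the routing/NAT behaviour described in the thread (added example).
Addresses come from the thread; the modem's upstream label and the
interface name in pf_rule() are assumed for illustration only.
"""
from ipaddress import ip_address, ip_network

# Assumed routing table of the 4G modem: its own LAN (where the pfSense
# client's WAN 192.168.0.100 lives) plus a default route to the provider.
# Note there is no entry for 10.0.1.0/24, the PC's network behind the VPN.
MODEM_ROUTES = [
    (ip_network("192.168.0.0/24"), "connected"),          # modem's own subnet
    (ip_network("0.0.0.0/0"), "upstream (provider)"),     # default route (assumed)
]

PFSENSE_CLIENT_WAN = ip_address("192.168.0.100")


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop


def outbound_nat(packet, nat_rules):
    """Apply the first matching outbound NAT rule (source translation).

    packet: dict with 'src' and 'dst'.
    nat_rules: list of (source_net, destination_net, translated_source).
    """
    src, dst = ip_address(packet["src"]), ip_address(packet["dst"])
    for source_net, dest_net, new_src in nat_rules:
        if src in source_net and dst in dest_net:
            return {**packet, "src": str(new_src), "nat": True}
    return {**packet, "nat": False}


def reply_path(ping, nat_rules=()):
    """Return (address the modem replies to, next hop it uses for that reply)."""
    sent = outbound_nat(ping, list(nat_rules))
    # The modem answers the source address it saw on the incoming packet.
    reply_dst = sent["src"]
    return reply_dst, next_hop(MODEM_ROUTES, reply_dst)


# The rule from the thread: interface WAN, source 10.0.1.0/24,
# destination 192.168.0.0/24, translation = interface address.
NAT_RULE = [(ip_network("10.0.1.0/24"), ip_network("192.168.0.0/24"), PFSENSE_CLIENT_WAN)]

# Constructed sample packet: the PC pinging the 4G modem, as in the thread.
PING = {"src": "10.0.1.1", "dst": "192.168.0.1"}


def pf_rule(interface="em0"):
    """The same rule in pf's classic 'nat on' syntax (interface name assumed)."""
    src_net, dst_net, _ = NAT_RULE[0]
    return f"nat on {interface} from {src_net} to {dst_net} -> ({interface})"


if __name__ == "__main__":
    print("without NAT:", reply_path(PING))           # reply goes to the provider
    print("with NAT   :", reply_path(PING, NAT_RULE))  # reply stays on the modem's LAN
    print(pf_rule())
```

Running it shows the asymmetry the reply describes: without the rule the echo reply to 10.0.1.1 matches only the default route and leaves towards the provider; with the rule the modem sees 192.168.0.100 as the source, answers on its connected subnet, and the pfSense client un-NATs the reply and sends it back through the VPN.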

